Re: An HTTP->HTTPS upgrading strawman. (was Re: Upgrade mixed content URLs through HTTP header) from Brad Hill on 2015-02-05 (public-webappsec@w3.org from February 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 05 Feb 2015 21:52:36 +0000
To: Chris Palmer <palmer@google.com>
Cc: Mike West <mkwst@google.com>, Peter Eckersley <pde@eff.org>, Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Mark Nottingham <mnot@mnot.net>, Martin Thomson <martin.thomson@gmail.com>
Message-ID: <CAEeYn8iz4PHjmpbmsLBOFQhYjDp+_xDdrBwyDOoWaa8ENPg=0g@mail.gmail.com>

+1

On Thu Feb 05 2015 at 1:49:29 PM Chris Palmer <palmer@google.com> wrote:

> On Thu, Feb 5, 2015 at 1:18 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
> > Just FYI, that the websec WG in the IETF is basically in the process of
> > being decommissioned, so getting a standards-track RFC number for an
> updated
> > HSTS draft isn't likely to be a quick exercise.
>
> And that is a good thing. Standards should standardize existing
> known-to-work practice, not be untried designs (by committee). I
> suggest: document any HSTS extensions in Internet-Draft form; get 2
> open source implementations, try it out for a while and see if it
> works and if people really want it; and then optionally RFC-ify later.
>

Received on Thursday, 5 February 2015 21:53:05 UTC